General

  • Target

    purchase order.exe

  • Size

    887KB

  • Sample

    201126-1ewgrapzb6

  • MD5

    975187a07455d3cbf38ec878d893b490

  • SHA1

    af8ddbf775cdb9dbd3776f717c192094202127be

  • SHA256

    009d9a0f6fafa91b750271413fef5771a4ce5855a59c0e6c16c85eb7de08e52b

  • SHA512

    378768e3aa1a49e6dce7a83197c1eceb86111422a6886fbe9e3ba7df75ce2bdb0f0979620a8eb905153caf276b43a23dd19885ff487586b3069a515cceb15222

Malware Config

Extracted

Family

formbook

C2

http://www.firedoom.com/sbmh/

Decoy

edlasyarns.com

rettexo.com

friendlyksa.com

westhighlandwaytours.com

goudmarket.com

turkime.com

wellnysdirect.com

handydanny.net

ylccmakq.com

benefits-sherpa.com

sousolutions.net

lspcall.com

makgxoimisitzer.info

katrinarask.com

istanbulconsulter.net

mingjiaxuan.com

faculdadegraca.com

kikegbwebdesign.com

69ase.com

downrangedynamics.com

Targets

    • Target

      purchase order.exe

    • Size

      887KB

    • MD5

      975187a07455d3cbf38ec878d893b490

    • SHA1

      af8ddbf775cdb9dbd3776f717c192094202127be

    • SHA256

      009d9a0f6fafa91b750271413fef5771a4ce5855a59c0e6c16c85eb7de08e52b

    • SHA512

      378768e3aa1a49e6dce7a83197c1eceb86111422a6886fbe9e3ba7df75ce2bdb0f0979620a8eb905153caf276b43a23dd19885ff487586b3069a515cceb15222

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Formbook Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

2
T1082

Peripheral Device Discovery

1
T1120

Tasks